The Hacker News — Cyber Security, Hacking, Technology News

Ever wonder how to hack Instagram or how to hack a Facebook account? Well, someone just did it!

But, remember, even responsibly reporting a security vulnerability could end up with legal action being taken against you.

An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to gain access to sensitive data stored on Instagram servers, including:

Source Code of Instagram website

SSL Certificates and Private Keys for Instagram

Keys used to sign authentication cookies

Personal details of Instagram Users and Employees

Email server credentials

Keys for over a half-dozen critical other functions

However, instead of paying him a reward, Facebook threatened legal action against the researcher, accusing him of intentionally withholding flaws and information from its team.

Wesley Weinberg, a senior security researcher at Synack, participated in Facebook's bug bounty program and started analyzing Instagram systems after one of his friends pointed him to a potentially vulnerable server located at sensu.instagram.com.

The researcher found an RCE (Remote Code Execution) bug in the way the server processed users' session cookies, which are generally used to remember users' login details.

The host was running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie.

Exploiting the vulnerability, Weinberg was able to force the server to vomit up a database containing login details, including credentials, of Instagram and Facebook employees.

Although the passwords were hashed with bcrypt, Weinberg was able to crack a dozen passwords that were very weak (like changeme, instagram, password) in just a few minutes.
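The Sensu host's bug was a session cookie that the Ruby application turned back into objects before establishing that it had issued the cookie at all. The defensive pattern, shown here as an added example that is not from Weinberg's write-up or from Instagram's code, is to sign session cookies with an HMAC, verify the tag before parsing anything, and carry only JSON data so a cookie can never name a class to instantiate. The function names, the key handling and the sample session are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side key; in production it comes from a secrets store,
# never from a configuration file that can be read off the host.
SESSION_KEY = secrets.token_bytes(32)


def issue_session(data: dict, key: bytes = SESSION_KEY) -> str:
    """Serialize as JSON (plain data, no object types) and append an HMAC tag."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, separators=(",", ":")).encode())
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (payload + b"." + base64.urlsafe_b64encode(tag)).decode()


def load_session(cookie: str, key: bytes = SESSION_KEY):
    """Verify the tag first; only a cookie this server signed is ever parsed.

    The bug class on the page is the reverse order: deserializing the cookie
    (Ruby Marshal, Python pickle, Java serialization) before, or instead of,
    checking who produced it. Returns the session dict or None.
    """
    try:
        payload, tag = cookie.encode("ascii").rsplit(b".", 1)
        presented = base64.urlsafe_b64decode(tag)
    except ValueError:  # no separator, non-ASCII, or bad base64 (binascii.Error)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None  # forged or tampered: do not look inside
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def tampered_copy(cookie: str) -> str:
    """Constructed test fixture: a different payload under the original tag,
    which the verifier must reject."""
    _, tag = cookie.split(".", 1)
    new_payload = base64.urlsafe_b64encode(b'{"uid":1,"admin":true}').decode()
    return new_payload + "." + tag
```

Keeping the serializer to JSON is as important as the signature: even a correctly signed cookie should not be able to carry a type name, because then a leaked signing key (as happened here) becomes code execution rather than session forgery.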

Exposed EVERYTHING including Your Selfies

Weinberg did not stop here. He took a close look at other configuration files he found on the server and discovered that one of the files contained some keys for Amazon Web Services accounts, the cloud computing service used to host Instagram's Sensu setup.

These keys listed 82 Amazon S3 buckets (storage units), but they only gave access to one of them. He found nothing sensitive in the latest file in that bucket, but when he looked at an older version of the file, he found another key pair that let him read the contents of all 82 buckets.
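Weinberg's AWS keys came out of a configuration file on the host and then out of an older revision of a file in a bucket. A secret scanner run over every revision of configuration that leaves the team (CI artifacts, backups, versioned bucket objects) catches this class of leak before an attacker does. The following is an added example, not tooling from the page; it uses the AWS-documented example key values as constructed input, and the file names and the "@v1" revision label are invented for the example.

```python
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# user keys, ASIA for temporary ones) followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A secret access key is 40 base64-like characters; on its own that pattern is
# noisy, so it is only reported when it follows a key name that says "secret".
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?)?secret(?:_access)?_key['\"]?\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never log the full value; the scanner must not become a second leak


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> content. Old revisions are passed in as their own
    entries, which is the point: the current file being clean is not enough."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input (the key values are AWS's published example keys, not
# live credentials): a current config with no secrets and an older revision of
# the same file that still carries them.
SAMPLE_FILES = {
    "sensu/config.json": '{\n  "aws": {"region": "us-east-1"}\n}\n',
    "sensu/config.json@v1": (
        '{\n'
        '  "aws": {\n'
        '    "access_key_id": "AKIAIOSFODNN7EXAMPLE",\n'
        '    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        '  }\n'
        '}\n'
    ),
}
```

In practice the mapping would be built from a repository's full history or from a bucket's object versions rather than a dict literal; the detection logic stays the same.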

Weinberg had inadvertently stumbled upon almost EVERYTHING including:

Instagram's source code

SSL certificates and private keys (including for instagram.com and *.instagram.com)

API keys that are used for interacting with other services

Images uploaded by Instagram users

Static content from the instagram.com website

Email server credentials

iOS/Android app signing keys

Other sensitive data

"To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," Weinberg wrote in his blog. "With the keys I obtained, I could now easily impersonate Instagram, or any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, [personal] pictures and data."

Responsible Disclosure, but Facebook Threatens Lawsuit

Weinberg reported his findings to Facebook's security team, but the social media giant was concerned he had accessed private data of its users and employees while uncovering the issues.

Instead of receiving a reward from Facebook for his hard work, Weinberg was disqualified from the bug bounty program by Facebook.

In early December, Weinberg claims, his boss, Synack CEO Jay Kaplan, received a scary call from Facebook security chief Alex Stamos regarding the weaknesses Weinberg had discovered in Instagram, which left Instagram and Facebook users wide open to a devastating attack.

Stamos "stated that he did not want to have to get Facebook's legal team involved, but that he was not sure if this was something he needed to go to law enforcement over," Weinberg wrote in his blog in a section entitled 'Threats and Intimidation.'

In response, Stamos issued a statement, saying he "did not threaten legal action against Synack or [Weinberg] nor did [he] ask for [Weinberg] to be fired."

Stamos said he only told Kaplan to "keep this out of the hands of the lawyers on both sides."

"Condoning researchers going well above and beyond what is necessary to find and fix critical issues would create a precedent that could be used by those aiming to violate the privacy of our users, and such behavior by legitimate security researchers puts the future of paid bug bounties at risk," Stamos added.

Facebook Responds

After the original publication by the researcher, Facebook issued its response, saying the claims are false and that Weinberg was never told not to publish his findings, rather only asked not to disclose the non-public information he accessed.

The social media giant confirmed the existence of the remote code execution bug in the sensu.instagram.com domain and promised a bug bounty of $2,500 as a reward to Weinberg and his friend who initially hinted that the server was openly accessible.

However, the other vulnerabilities that allowed Weinberg to gain access to sensitive data did not qualify, with Facebook saying he violated user privacy while accessing the data.

Here's the full statement by Facebook:

We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.

We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn't pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers' hard work.

This is probably the most frequently asked question nowadays, and there are several applications available on the Google Play Store and Apple App Store which claim to offer you the opportunity to see who is looking at your Instagram profile.

But, should we believe them?

Is there really any way to know who viewed your Instagram profile?

The shortest answer to all these questions is 'NO', such functionality does not exist on Instagram at the moment.

But, thousands of users still have hope and hackers are taking advantage of this to target a broad audience.

Recently, security researchers have discovered some malicious applications on Android Google Play Store as well as iOS App Store, which are entirely a hoax, targeting Instagram users.

The iOS app is named "InstaCare - Who cares with me?" and is one of the top apps in Germany, while the Android app is dubbed "Who Viewed Me on Instagram" and has more than 100,000 downloads and 20,000 reviews.

Both apps are developed by Turker Bayram, the same developer who created the malicious "InstaAgent" app for the Android and iOS platforms late last year, which secretly stole users' Instagram credentials.

The recent applications by Bayram also have the same functionality, luring Instagram users into believing that the app would let them know who viewed their profile. The app claims to:

The malicious apps abuse the authentication process to connect to Instagram and steal users' Instagram usernames and passwords, according to a blog post published by David Layer-Reiss from Peppersoft.

Since third-party applications use the legitimate service's API to authenticate, users are accustomed to providing the same credentials to many different applications and services.

Here's How an App Can Hack Your Instagram Accounts

Today, it is quite easy for hackers to target a large audience: just abuse the name of a popular application and offer users a feature the legitimate one lacks.

Users will simply provide their critical data, including their credentials, without knowing its actual consequences.

Once users install 'InstaCare' or 'Who Viewed Me on Instagram' on their iOS or Android device, they are immediately served a login window that forces them to log in with their Instagram credentials.

Since the apps advertise themselves as showing you who viewed your Instagram profile, most users fall victim and enter their account credentials without a second thought.

The usernames and passwords are then encrypted and sent to the attacker's server. The attacker can later use those credentials to secretly log in, take full control of the hacked Instagram accounts, and post spam on the user's behalf.

Security researchers from Kaspersky Labs also confirmed David's findings. You can refer to Kaspersky's blog post for more technical details on the malicious apps.

At the time of writing, neither Apple nor Google has removed the malicious apps from their official App Stores, which means that the malicious apps are still available to users for download.

It's not at all surprising that the app stores host a number of malicious apps designed to catch users' attention and make them fall victim.

But the fact that both Apple and Google were fooled again by the same developer shows how hard it is to keep an eye on a developer who has already published a malicious app, and to manage the app stores securely.

Here's How to Protect Yourself

If you've already installed one of these apps and have now seen the error of your ways, remove the culprit from your apps list.

So if you have already fallen victim to this scam, hurry up!

Uninstall the apps mentioned above from your smartphone if you have one.

Just yesterday, we reported that Instagram had patched a critical API vulnerability that allowed the attacker to access phone numbers and email addresses for high-profile verified accounts.

However, the Instagram hack now appears to be more serious than initially reported.

Not just a few thousand high-profile users: more than 6 million Instagram users, including politicians, sports stars, and media companies, have had their Instagram profile information, including email addresses and phone numbers, put up for sale on a website called Doxagram.

The suspected Instagram hacker has launched Doxagram, an Instagram lookup service, where anyone can search for the stolen information for just $10 per account.

A security researcher from Kaspersky Labs, who also found the same vulnerability and reported it to Instagram, told The Hacker News that the issue actually resided in Instagram's mobile API, specifically in the password reset option, which apparently exposed users' mobile numbers and email addresses in the JSON response, but not passwords.
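The Kaspersky researcher's description points at a data-minimization failure: a password-reset response that echoed the account's full email address and phone number to whoever called the endpoint. As an added example (not Instagram's API or the researcher's code), the following contrasts a reset response that returns the stored contact details with one that returns only masked hints, and includes the kind of response check a team can run in its tests to catch such a regression. The account record, the hint format and the check's patterns are constructed for the example.

```python
import json
import re


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain (constructed format)."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        return "***"
    return f"{local[0]}***@{domain}"


def mask_phone(phone: str) -> str:
    """Keep only the last two digits (constructed format)."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        return "***"
    return "*" * (len(digits) - 2) + digits[-2:]


# Constructed account record: the internal view the reset handler works from.
ACCOUNT = {
    "id": 1234,
    "username": "example_user",
    "email": "jane.doe@example.com",
    "phone": "+1 415 555 0134",
    "password_hash": "$2b$12$CONSTRUCTED-HASH-PLACEHOLDER",
}


def reset_response_vulnerable(account: dict) -> dict:
    """Returns the stored contact fields verbatim: anyone who can submit a
    username to the endpoint learns the account's email and phone number."""
    return {"status": "ok",
            "user": {k: account[k] for k in ("id", "username", "email", "phone")}}


def reset_response_hardened(account: dict) -> dict:
    """Returns only which channels exist and a masked hint for each; the real
    contact data never leaves the server. The reset code itself goes out on
    that channel, not in this response."""
    channels = []
    if account.get("email"):
        channels.append({"type": "email", "hint": mask_email(account["email"])})
    if account.get("phone"):
        channels.append({"type": "sms", "hint": mask_phone(account["phone"])})
    return {"status": "ok", "channels": channels}


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")


def leaks_contact_data(response: dict) -> bool:
    """Test-time check: does the serialized response contain anything that looks
    like a full email address or phone number?"""
    blob = json.dumps(response)
    return bool(EMAIL_RE.search(blob) or PHONE_RE.search(blob))
```

The same check belongs in the test suite of any endpoint that is reachable before authentication (reset, lookup, registration), since those are exactly the ones an attacker can drive at scale with nothing but a list of usernames.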

Instagram has not confirmed the hacker's claims yet, but the company said Friday it is investigating the data breach.

The news comes three days after an unknown hacker hijacked the most-followed account on Instagram, belonging to Selena Gomez, with over 125 million followers, and posted full-frontal nude photographs of her ex-boyfriend Justin Bieber.

However, Instagram did not confirm if the recent data breach was related to Selena's hacked account.

The company had already notified all of its verified users of the issue via emails and also encouraged them to be cautious if they receive any suspicious or unrecognised phone call, text message, or email.

With email addresses and phone numbers in hand, the hacker's next step could be to use the stolen information in tandem with social engineering techniques to gain access to verified Instagram accounts and post on their behalf in order to embarrass them.

Instagram users are also strongly advised to enable two-factor authentication on their accounts and always secure them with a strong, unique password.

Additionally, avoid clicking on suspicious links and attachments you receive in an email and providing your personal or financial details without verifying the source properly.

The answer to this question is difficult to find, but a bug bounty hunter just did it without too much difficulty.

Belgian bug bounty hunter Arne Swinnen discovered two vulnerabilities in the image-sharing social network Instagram that allowed him to brute-force Instagram account passwords and take over user accounts with minimal effort.

Both brute-force attack issues were exploitable due to Instagram’s weak password policies and its practice of using incremental user IDs.

"This could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones," Swinnen wrote in a blog post describing details of both vulnerabilities.

Brute-Force Attack Using Mobile Login API

Swinnen discovered that an attacker could have performed a brute-force attack against any Instagram account via its Android authentication API URL, due to improper security controls.

According to his blog post, for the first 1,000 incorrect brute-force attempts on the mobile login API, Instagram responds "password you entered is incorrect," but he also noticed that for the next 1,000 attempts the server displays "username not found", a form of rate-limiting error response.

However, Swinnen continued the brute-force attack with patience and found that the server again started returning reliable responses after the 2,000th attempt, followed again by unreliable responses (i.e. "username not found").

So, an attacker could create a script that simply mounts a brute-force attack and replays the attempts that got inaccurate responses until a reliable one is obtained. He developed a script that tested 10,001 passwords against a targeted Instagram account.

"The only limitation of this attack was that on average, 2 authentication requests had to be made for one reliable password guess attempt," Swinnen said.

The worst part comes in:

The researcher was able to log into the compromised account from the same IP address that he had used to carry out the brute-force attack against the password, which is very poor security practice for protecting accounts against unauthorized logins.

The first vulnerability was discovered and reported to Facebook by Swinnen in late December.

Brute-Force Attack using the Web-based Registration System

The second brute-force attack vulnerability that affected Instagram's Web registration page was discovered and reported to Facebook in May by the same researcher.

The vulnerability could have allowed an attacker to carry out another trivial brute-force attack against the Instagram Web registration endpoint that did not even trigger an account lockout or other security measures.

Swinnen registered a test account on Instagram and recorded the HTTP request sent during registration.

However, after replaying the same request with the username and password parameters set to those of an existing account, he received an error response saying "Those credentials belong to an active Instagram account."

Since there was no rate limitation activated on the registration page, Swinnen was able to brute force more than 10,000 attempts before sending over the correct username and password and receiving an affirmative response from the page.

Facebook awarded the researcher a combined bounty of $5,000 and patched both the vulnerabilities in Instagram by limiting the number of login attempts as well as hardening its password policy.

Now, Instagram no longer allows users to choose simple passwords. It now requires passwords to be a combination of numbers, letters, and punctuation. The company also recommends Instagram passwords not be used elsewhere online.

Similar steps should be adopted by every online website and service that is responsible for the security of its users.

Instead of expecting users to keep every one of their online passwords strong and complex, it is the duty of websites and developers to enforce a strong password policy by not allowing users to sign up with weak passwords, and to recommend that users adopt a good password manager.
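Both of Swinnen's findings come down to credential-checking endpoints without durable throttling (the login API's limit reset after a while, and the registration check had none), and Facebook's fix combined rate limiting with a stronger password policy. The following added example, which is not Instagram's implementation or Swinnen's script, shows a sliding-window throttle keyed per account and per client IP that gates every endpoint validating a credential, including the registration "credentials belong to an active account" check, so that a throttled request is refused without being evaluated; it also shows a policy check requiring letters, digits and punctuation as the page describes. The ten-attempt and fifty-attempt limits, the 10-character floor, the short weak-password list and the simulated client are assumptions made for the example.

```python
import re
import time
from collections import deque


class AttemptThrottle:
    """Sliding-window counter shared by every endpoint that validates a credential.

    Keys are independent: guesses spread over many IPs still hit the per-account
    limit, and one IP hammering many accounts hits the per-IP limit.
    """

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._events = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._events.setdefault(key, deque())
        while q and now - q[0] > self.window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Assumed limits: 10 tries per account and 50 per IP in any 10-minute window.
PER_ACCOUNT = AttemptThrottle(limit=10, window_s=600)
PER_IP = AttemptThrottle(limit=50, window_s=600)


def verify_credential(username, password, client_ip, check, now=None,
                      per_account=PER_ACCOUNT, per_ip=PER_IP):
    """Gate for the login endpoint and for the registration check alike.

    `check(username, password)` is the real comparison (e.g. bcrypt). Returns
    "ok", "invalid" or "throttled"; a throttled request is never evaluated, so
    there is no stretch of reliable answers for a script to wait out.
    """
    now = time.monotonic() if now is None else now
    if not per_ip.allow(f"ip:{client_ip}", now):
        return "throttled"
    if not per_account.allow(f"acct:{username.lower()}", now):
        return "throttled"
    return "ok" if check(username, password) else "invalid"


# Assumed blocklist; the values cracked from the leaked dump are the kind of entry it needs.
WEAK_PASSWORDS = {"password", "changeme", "instagram", "123456", "qwerty"}


def password_meets_policy(password: str, username: str = "") -> bool:
    """Letters, digits and punctuation (as the page describes), plus an assumed
    10-character floor, a blocklist, and no username inside the password."""
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    has_punct = re.search(r"[^\w\s]", password) is not None
    if not (has_letter and has_digit and has_punct):
        return False
    if len(password) < 10 or password.lower() in WEAK_PASSWORDS:
        return False
    return not (username and username.lower() in password.lower())


def simulate_guessing(attempts: int, client_ip: str = "198.51.100.7") -> dict:
    """Constructed scenario: one client sends one guess per second against one
    account. Returns how many guesses were evaluated versus refused."""
    acct = AttemptThrottle(limit=10, window_s=600)
    ip = AttemptThrottle(limit=50, window_s=600)
    real_check = lambda u, p: p == "correct-horse-battery-staple!9"
    counts = {"ok": 0, "invalid": 0, "throttled": 0}
    for i in range(attempts):
        outcome = verify_credential("victim", f"guess{i}", client_ip, real_check,
                                    now=float(i), per_account=acct, per_ip=ip)
        counts[outcome] += 1
    return counts
```

The throttle returns the same generic "throttled" outcome for both keys, so the response does not tell a client whether the account or its own address is what tripped the limit; a production deployment would back the window with shared storage so that every API node sees the same counts.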


Instagram has recently suffered a possibly serious data breach with hackers gaining access to the phone numbers and email addresses for many "high-profile" users.

The 700 million-user-strong, Facebook-owned photo sharing service has notified all of its verified users that an unknown hacker has accessed some of their profile data, including email addresses and phone numbers, using a bug in Instagram.

The flaw actually resides in Instagram's application programming interface (API), which the service uses to communicate with other apps.

Although the company did not reveal any details about the API flaw, it assured its users that the bug has now been patched and that its security team is further investigating the incident.

"We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact information—specifically email address and phone number—by exploiting a bug in an Instagram API," Instagram said in a statement.

"No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation."

Instagram declined to name the high-profile users targeted in the breach, but the news comes two days after an unknown hacker hijacked the most-followed Instagram account, belonging to Selena Gomez, and posted nude photographs of her ex-boyfriend Justin Bieber.

Selena's Instagram account with over 125 Million followers was restored later in the day and the photos were removed.

However, Instagram did not mention if the recent data breach was related to Selena's hacked account.

With email addresses and phone numbers in their hands, the hackers' next step could be to use the information in tandem with social engineering techniques in an effort to gain access to verified users' Instagram accounts and embarrass them.

The company notified all verified users of the issue via email and also encouraged them to be cautious if they receive suspicious or unrecognised phone calls, text messages, or emails.

Instagram users are also strongly advised to enable two-factor authentication on their accounts and always secure their accounts with a strong, unique password.

Also, avoid clicking on any suspicious link or attachment you received via an email and providing your personal or financial information without verifying the source properly.

Your Instagram is not as Private as You Think. Millions of private Instagram photos may have been exposed publicly on the web until the company patched a privacy hole this weekend.

For a long time the Instagram team was unaware of a security vulnerability that allowed anyone with access to an image's URL to view the photo, even those shared by users whose accounts are set to "private."

In other words, if a private user shares an Instagram post with another service, such as Twitter or Facebook, as part of the upload process, that shared photo remains viewable to the public despite the account's privacy settings.

The flaw was first reported by David Yanofsky at Quartz and Instagram acknowledged the issue last week before patching the flaw. In a statement to Quartz, an Instagram representative said:

'If you choose to share a specific piece of content from your account publicly, that link remains public but the account itself is still private,'

The Instagram vulnerability was only exploitable on the web, not in Instagram’s iOS and Android apps.

'In response to feedback, we made an update so that if people change their profile from public to private, web links that are not shared on other services are only viewable to their followers on Instagram.'

Even with the loophole closed, anyone can still share your images online without your permission by viewing the page source, or by taking a screenshot.

Such a privacy flaw, or any other potential controversy, could still have an impact on parent company Facebook.

In the era of government surveillance, ensuring the security and safety of our private communications regardless of platform (email, VoIP, messaging, even stored cookies) should be the top priority of the Internet industry. Some industry players came together to offer encryption as the protection against government surveillance, but some left security holes that may expose your personal data.

A critical issue in Instagram's Android application has been disclosed by a security researcher; it could allow an attacker to hijack users' accounts and successfully access private photos, delete the victim's photos, edit comments and also post new images.

Instagram, acquired by Facebook in April 2012 for approximately US$1 billion, is an online mobile photo-sharing, video-sharing and social networking service that enables its users to take pictures and videos, apply digital filters, and share them on a variety of social networking services, such as Facebook, Twitter, Tumblr and Flickr.

USING UNENCRYPTED HTTP CONNECTION

Instagram's Android application communicates with its server over an unencrypted HTTP connection, which is susceptible to tampering by anyone in a position to intercept it, explained Mazin Ahmed, who discovered the vulnerability, in a blog post.

“I started using the app on my phone, and monitoring the traffic in the network using WireShark, looking for evidence for unencrypted data that goes through the network or a technique to make this data unencrypted (if it was encrypted),” said Mazin.

INSTAGRAM SESSION HIJACKING

He found that the unencrypted Instagram app communication was also vulnerable to session hijacking, which can be carried out using a man-in-the-middle attack, a common technique used by attackers to intercept wireless data traffic.

Reusing intercepted HTTP session cookies on another system/browser allows the attacker to hijack the session of the victim's Instagram account.

"As soon as I logged into my account on my phone, Wireshark captured unencrypted data that goes through HTTP. This data includes: the pictures that the victim is watching, the victim's session cookies, the victim's username and ID."

It is really surprising that the largest social networking giant, Facebook, ignored such a big issue in its most popular image and video sharing service and failed to take the maximum measures to ensure the security of its users.

Mazin, who believes the issue might be exploited by intelligence agencies for the purpose of surveillance, reported the vulnerability to Facebook on 24th July, but its security team replied: "Facebook accepts the risk of parts of Instagram communicating over HTTP not over HTTPS."

Facebook has decided to adopt complete HTTPS for its Instagram mobile application in the near future, but it is still not clear how long that will take.

Today, the estimated number of known computer threats like viruses, worms, backdoors, exploits, Trojans, spyware, password stealers, and other variants of potentially unwanted software runs into the millions. Such software is able to create several different forms of itself dynamically in order to thwart anti-malware programs.

Instagram users are also targeted by potentially unwanted software programs that claim to let them download their Instagram photos and videos on desktop machines. But once downloaded and installed on a system, such software could expose the user to a number of security vulnerabilities and often overlaps with adware, warned the security firm Malwarebytes.

"In the case of Instagram, what we've seen out there could pose greater risk than, say, your average phishing site," said Malwarebytes intelligence analyst Jovi Umawing in a blog post.

Instagram is a social networking service used for online photo-sharing and video-sharing. It allows its users to take pictures and videos, apply digital filters to them, and share them on other social networking services, such as Facebook, Twitter, Tumblr and Flickr.

With its growing popularity, Instagram is widely used. The firm expects the number of users to keep increasing steadily until at least 2016; according to the latest statistics from the digital marketing research and analysis company eMarketer, published in late March, Instagram surpassed Twitter in terms of active mobile users in the US by 2.7 million, which is a very large number.

“With news of Instagram finally beating Twitter in terms of overall usage, it’s high time that we stop, look back, and remind ourselves of the potential dangers lurking on the net specifically crafted to target Instagram users and lurkers alike,” the company warned in a blog post.

Malwarebytes also found a number of files and sites that take advantage of the software's popularity and come bundled with downloads of such third-party programs, which include a number of potentially unwanted programs (PUPs) that could spell bad news for users.

However, potentially unwanted programs are not technically classified as trojans or any other type of malware, but they serve little purpose other than using your computer as a gateway for online advertisements or as a catalyst to deliver annoying or malicious applications that may pester you to the point where you want to throw your computer out a window.

“Doing a Google search surely yields sites where one can download several programs involving Instagram. Some of which can either be classed as ‘image viewers’ or ‘image and video downloaders’ publicly-accessible accounts,” the firm wrote. "Since Instagram can be visited via Web browsers, we can easily say that these downloads target any Windows computer user who just want to keep copies of photos and videos that are likely not their own."

There are anti-malware tools to detect these kinds of threats, but this also remains in users' hands, because the growing number of potentially unwanted programs and their many variants target online users and cause harm. So, avoid downloading such programs onto your personal systems.

Successful exploitation allows an attacker to access private photos, delete the victim's photos, edit comments and post new photos.

The hacker explained that there are two ways to hack Instagram accounts using OAuth: first, "Hijack Instagram accounts using the Instagram OAuth", and second, "Hijack Instagram accounts using the Facebook OAuth Dialog".

During his bug hunting, Nir found a loophole in Instagram's validation of the redirect_uri security parameter that allowed an attacker to have the access token passed to his own domain with .mx as a suffix, i.e. straight to breaksec.com.mx.

POC: https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec.com.mx&response_type=token

In the second method, the hacker hijacks Instagram accounts using the Facebook OAuth Dialog. "When a user wants to upload their Instagram photos to Facebook, they allow this interaction and integration to take place. I discovered that an attacker can use virtually any domain in the redirect_uri, next parameter."

Here the attacker can use any domain in the redirect_uri and next parameters, via the redirect_uri tied to the Instagram client_id, to steal the access_token of the victim's account.
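The redirect_uri flaw is a prefix match: a registered breaksec.com let a breaksec.com.mx redirect through, so the token in the URL fragment landed on a host the attacker controlled. As an added example that is not Instagram's authorization server or Nir's proof of concept, the following shows the weak prefix check beside an exact-match validator and an authorization decision that never redirects to a URI the strict check rejected. The client record and callback path are constructed, and the client_id from the page's POC is not reused.

```python
from urllib.parse import urlsplit

# Constructed client registration (not Instagram's data).
REGISTERED_CLIENTS = {
    "example-client": {"redirect_uris": {"https://breaksec.com/oauth/callback"}},
}


def redirect_allowed_weak(client_id: str, redirect_uri: str) -> bool:
    """Prefix match on the registered origin: the check a .mx suffix defeats."""
    for allowed in REGISTERED_CLIENTS.get(client_id, {}).get("redirect_uris", ()):
        a = urlsplit(allowed)
        if redirect_uri.startswith(f"{a.scheme}://{a.netloc}"):
            return True
    return False


def redirect_allowed_strict(client_id: str, redirect_uri: str) -> bool:
    """Exact match of scheme, host, port, path and query against the registered list.

    No prefix or suffix logic, https only, no userinfo, no fragment (the
    server appends its own fragment for response_type=token). Anything else
    is rejected.
    """
    p = urlsplit(redirect_uri)
    if p.scheme != "https" or p.fragment or "@" in p.netloc or not p.netloc:
        return False
    for allowed in REGISTERED_CLIENTS.get(client_id, {}).get("redirect_uris", ()):
        a = urlsplit(allowed)
        if (p.netloc.lower(), p.path, p.query) == (a.netloc.lower(), a.path, a.query):
            return True
    return False


def authorize(client_id: str, redirect_uri: str, response_type: str) -> dict:
    """Decision for the authorization endpoint. On a bad redirect_uri the user
    sees an error page; redirecting anyway (even to report the error) is the
    leak, because the token or code would travel with the redirect."""
    if not redirect_allowed_strict(client_id, redirect_uri):
        return {"action": "error_page", "reason": "invalid_redirect_uri"}
    if response_type not in ("code", "token"):
        return {"action": "error_page", "reason": "unsupported_response_type"}
    return {"action": "redirect", "to": redirect_uri}
```

The same validator applies to any parameter that becomes a redirect target after the flow, such as the "next" parameter the second method abused: if the value is not in the client's registered list verbatim, it is not followed.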


Two days ago, we reported at The Hacker News about a critical issue in the most popular image and video sharing service, Instagram app for mobiles, that allows an attacker to hijack users’ account and successfully access private photos, delete victim's photos, edit comments and also post new images.

Yesterday, London developer Stevie Graham released a tool called "Instasheep", a play on the 2010 Facebook session stealer Firesheep, a Firefox extension that could be used to compromise online accounts automatically, in certain circumstances, with a click of the mouse.

Graham discovered the Instagram issue years ago and was shocked when he realized it hadn’t been fixed by Facebook yet. He released the tool after claiming Facebook refused to pay a bug bounty for his reported vulnerabilities affecting the Instagram iOS mobile application.

The largest social networking giant, Facebook, was reportedly aware of the issue affecting its Instagram iOS app and was working on a fix by deploying HTTPS across its portfolio, but it is still not clear how long that will take.

Exploitation of the vulnerability could expose iOS app users to man-in-the-middle (MitM) attacks: as we said earlier, Instagram sends some unencrypted data along with the session cookie. An attacker could then reuse the intercepted HTTP session cookies on another system or browser to hijack the session of the victim's Instagram account.

"I don't agree the barrier to exploit is high. All it takes is one sufficiently skilled person to release a tool so simple even a script kiddie can use it. At that point Pandora's Box has been blown apart,” Graham wrote on YCombinator.

Instagram co-founder Mike Krieger has responded to issue via the same YCombinator website and said, “We’ve been steadily increasing our HTTPS coverage–Instagram Direct, for example, which we launched in late 2013, is 100% HTTPS. For the remainder of the app, especially latency-sensitive read endpoints like the main feed and other browsing experiences, we’re actively working on rolling out HTTPS while making sure we don’t regress on performance, stability, and user experience. This is a project we’re hoping to complete soon, and we’ll share our experiences in our eng blog so other companies can learn from it as well.”

Graham rolled out the Instasheep tool, automating the process, in order to force Facebook's hand so that the company speeds up its efforts to deploy HTTPS.

Instagram, Facebook's popular photo sharing app for iOS, currently has a vulnerability that could make your account susceptible to hackers. Security researcher Carlos Reventlov published on Friday another attack on Facebook's Instagram photo-sharing service that could allow a hacker to seize control of a victim's account.

"The Instagram app communicates with the Instagram API via HTTP and HTTPS connections. Highly sensitive activities, such as login and editing profile data, are sent through a secure channel. However, some other requests are sent through plain HTTP without a signature; those requests could be exploited by an attacker connected to the same LAN as the victim's iPhone."

Vulnerability Details --The vulnerability is in the 3.1.2 version of Instagram's application, which is susceptible to “eavesdropping and man in the middle attacks that could lead an evil user to delete photos and download private media without the victim’s consent.

An attacker on the same LAN of the victim could launch a simple arpspoofing attack to trick the iPhones into passing port 80 traffic through the attackers machine. When the victim starts the Instagram app a plain text cookie is sent to the Instagram server, once the attacker gets the cookie he is able to craft special HTTP requests for getting data and deleting photos.

The Secunia verified the attack and issued an advisory Here. The compromise uses a method called ARP (Address Resolution Protocol) spoofing, where the web traffic of the victim's mobile device is channeled through the attacker's computer. Reventlov wrote that it is then possible to intercept the plain-text cookie.

“I’ve found that many iPhone apps are vulnerable to such things but not too many are high-profile apps like Instagram,” Reventlov added. He says that the fix for Instagram is rather easy: for API calls that carry sensitive information, simply use HTTPS (Hypertext Transfer Protocol Secure). A proof of concept is available on Reventlov's blog.
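The class of exposure described above, as an added example that is not part of Reventlov's proof of concept or the article: a small parser that walks captured HTTP messages and flags session cookies sent in the clear, plus Set-Cookie headers that lack the Secure attribute (the attribute that would have stopped the client from ever sending the cookie over plain HTTP in the first place). The capture, host names, paths and cookie names are constructed for illustration and do not describe a real Instagram endpoint.

```python
"""Added example, not code from the article or from Reventlov's proof of concept.

Audits captured HTTP/1.x messages for session cookies exposed in cleartext.
All sample traffic below is constructed; hosts, paths and cookie names are invented.
"""

from dataclasses import dataclass, field

# Substrings that mark a cookie as session/auth-bearing (heuristic, constructed list)
SENSITIVE_COOKIE_HINTS = ("session", "sid", "auth", "token", "csrf")


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # lower-cased name -> value(s)

    def header(self, name, default=None):
        return self.headers.get(name.lower(), default)


def parse_http_message(raw: bytes) -> HttpMessage:
    """Parse the head of one HTTP/1.x request or response; the body is ignored."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Repeated headers (several Set-Cookie lines) are joined with '\n' so none is lost
        msg.headers[name] = value if name not in msg.headers else msg.headers[name] + "\n" + value
    return msg


def parse_cookie_header(value: str) -> dict:
    """Split a request Cookie header 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            cookies[name.strip()] = val.strip()
    return cookies


def is_sensitive(cookie_name: str) -> bool:
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SENSITIVE_COOKIE_HINTS)


def cleartext_cookie_findings(captures):
    """captures: iterable of (scheme, direction, raw_bytes), scheme 'http'/'https',
    direction 'req'/'resp'. Returns human-readable findings.

    A sensitive cookie inside an http:// request is exactly what an ARP-spoofing
    attacker on the LAN reads off the wire; a Set-Cookie without 'Secure' is what
    lets the client send that cookie over http:// in the first place."""
    findings = []
    for scheme, direction, raw in captures:
        msg = parse_http_message(raw)
        if direction == "req" and scheme == "http":
            cookie_header = msg.header("cookie")
            if cookie_header:
                for name, value in parse_cookie_header(cookie_header).items():
                    if is_sensitive(name):
                        findings.append(f"cleartext cookie {name}={value} in {msg.start_line!r}")
        elif direction == "resp":
            set_cookie = msg.header("set-cookie")
            if set_cookie:
                for one in set_cookie.split("\n"):
                    attrs = [p.strip().lower() for p in one.split(";")]
                    name = attrs[0].partition("=")[0]
                    if is_sensitive(name) and "secure" not in attrs:
                        findings.append(f"Set-Cookie {name} issued without the Secure attribute")
    return findings


# Constructed capture: one feed read over plain HTTP carrying the session cookie,
# the login over HTTPS (shown decrypted, for contrast), and the login response
# that set the cookie without 'Secure'.
SAMPLE_CAPTURE = [
    ("http", "req",
     b"GET /api/v1/feed/timeline/ HTTP/1.1\r\nHost: api.example.test\r\n"
     b"Cookie: sessionid=IGSC0123abc; ds_user=alice\r\n\r\n"),
    ("https", "req",
     b"POST /api/v1/accounts/login/ HTTP/1.1\r\nHost: api.example.test\r\n"
     b"Cookie: sessionid=IGSC0123abc\r\n\r\n"),
    ("https", "resp",
     b"HTTP/1.1 200 OK\r\nSet-Cookie: sessionid=IGSC0123abc; Path=/\r\n"
     b"Set-Cookie: lang=en; Path=/\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in cleartext_cookie_findings(SAMPLE_CAPTURE):
        print(finding)
```

Run against the constructed capture it reports two findings: the session cookie riding on the plain-HTTP feed request (what the attacker reads after ARP spoofing) and the Set-Cookie that omitted Secure. Moving the API to HTTPS, as Reventlov suggests, fixes the first; marking the cookie Secure fixes the second and keeps a future plain-HTTP endpoint from re-exposing it.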

The most-followed account on Instagram, belonging to Selena Gomez, was recently hacked, with unknown hackers posting a series of nude photographs of her ex-boyfriend Justin Bieber to her account.

The latest hack is not part of the ongoing "Fappening" leaks, which have hit a string of celebrities by targeting their iCloud accounts; in Selena's case, a hacker breached her Instagram account itself and posted Bieber's photos.

Three full-frontal nude photos of Bieber were visible to Selena's 125 million Instagram followers for a short time before her account was swiftly taken down on Monday night.

A post from Selena's official Instagram account went up Monday showing three pictures of Bieber with a caption that read:

"LOOK AT THIS N***A LIL SHRIMPY."

Selena's team has since re-secured her Instagram account, which was back online minutes after it was taken down, with the photos of Bieber removed.

The Bieber nude images were not part of any stolen celebrity photo dump; they were taken during his 2015 holiday in Bora Bora and were already published online that year, when Bieber was dating model Jayde Pierce.

At the time, censored versions of the photos were published by several websites, but uncensored versions also reached the Internet, and it was those that were posted on Selena's hacked Instagram account, Variety reports.

There are no details yet about the hackers or how they got into Selena's Instagram account, but as we have previously seen many celebrities tricked into handing over their account credentials through phishing emails, the same could be the case for the "Good For You" singer.

It seems celebrities are still not taking the security of their accounts seriously, which has once again resulted in the hack of an A-list celebrity's social media account.

Today it's Selena, but tomorrow it could be you. Users are strongly advised to enable two-factor authentication on their accounts and to secure each account with a strong, unique password.

Also, avoid clicking on suspicious links or attachments received via email, and do not hand over personal or financial information without properly verifying the source.

But what would you do if a hacker had somehow managed to obtain your account password?

Online accounts have no built-in way to verify that the person logging in is the legitimate owner beyond checking that the username and password match.

Hence the concept of Two-Factor Authentication (2FA) was born.

Giants like Google, Facebook, Twitter and Amazon have already added 2FA to their services to tackle account hijacking.

Two-Factor Authentication, or two-step verification, is an additional security mechanism that confirms the user is legitimate only after a second identification step: a randomly generated security code is sent to the user via call or SMS and must be entered along with the password.

Two-Factor Authentication makes it far harder for hackers to get into your online accounts, even if they already have your username and password.
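What the second step looks like on the server side, as an added example that is not Instagram's or Facebook's code: a minimal issue/verify loop for a call- or SMS-delivered one-time code. The code is single-use, expires after five minutes, and is burned after a handful of wrong guesses, which is what stops an attacker who holds the password from simply guessing all one million six-digit values. The delivery hook, the pepper value and the store are assumptions made so the example runs offline.

```python
"""Added example, not Instagram's or Facebook's code. A minimal server-side
issue/verify loop for a call- or SMS-delivered one-time code, the second factor
the article describes. The delivery hook is a stand-in (nothing is sent) and the
pepper would come from a secret store in a real deployment."""

import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is only good for five minutes
MAX_ATTEMPTS = 5         # then the code is burned and must be re-issued
# Assumed: a server-side secret; hard-coded here only so the example runs offline.
SERVER_PEPPER = b"replace-with-a-secret-from-the-environment"


class OneTimeCodeStore:
    """Holds pending codes as keyed hashes, never as plaintext."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # user_id -> (digest, expires_at, attempts_left)

    def issue(self, user_id, deliver):
        """Generate a fresh code, store its digest, hand the plaintext to the delivery hook."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user_id] = (self._digest(user_id, code), expires_at, MAX_ATTEMPTS)
        deliver(user_id, code)   # e.g. SMS/voice gateway; stand-in here

    def verify(self, user_id, submitted):
        """True only for the right code, within its TTL, within the attempt budget, once."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            self._pending.pop(user_id, None)
            return False
        if hmac.compare_digest(digest, self._digest(user_id, submitted)):
            self._pending.pop(user_id, None)   # single use: a replayed code fails
            return True
        self._pending[user_id] = (digest, expires_at, attempts_left - 1)
        return False

    @staticmethod
    def _digest(user_id, code):
        # Keyed hash over (user, code): a six-digit space is trivial to brute-force
        # offline, so a plain hash of the code alone would protect nothing if the
        # store leaked; binding the user id stops one account's code being replayed
        # against another.
        return hmac.new(SERVER_PEPPER, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    delivered = {}
    store = OneTimeCodeStore()
    store.issue("alice", lambda uid, code: delivered.__setitem__(uid, code))
    wrong = f"{(int(delivered['alice']) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    print("wrong code accepted:", store.verify("alice", wrong))
    print("right code accepted:", store.verify("alice", delivered["alice"]))
    print("replay accepted:", store.verify("alice", delivered["alice"]))
```

The comparison goes through `hmac.compare_digest` so a wrong guess takes the same time as a near-miss, and the attempt budget is tracked per pending code rather than per request, so spreading guesses over time does not reset it.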

Now the multimedia-sharing giant Instagram has also joined the league by implementing two-step verification.

Better late than Never:

However, the decision to roll out 2FA only now could be criticized, as its parent company Facebook implemented it five years ago.

Current users should not expect the new two-step verification feature to reach them immediately, as the company has said it will roll the phone verification feature out slowly.

But there is good news for Singapore residents: the first rollout will be to Singaporeans.

Instagram hacks are nothing new; many videos and images of celebrities have leaked online in past years.

Hackers can wreak havoc by hijacking or deleting Instagram accounts, flooding them with illegitimate content and much more. Taylor Swift was one such victim of an Instagram hack.

To protect yourself from hackers, you are advised to enable Two-Factor Authentication as soon as the Instagram security feature rolls out in your country.

That’s what I said about a 10-year-old Finnish boy on our official Facebook page while sharing his recent achievement with our readers: winning a $10,000 bug bounty from Instagram.

Last Tuesday, when we at The Hacker News first acknowledged this talented boy and the flaw he discovered in the image-sharing social network Instagram, I had no idea that the Facebook post would get such an enormous response from our followers, encouraging me to introduce Jani to our website readers too.

For those who aren’t aware, Jani from Helsinki recently reported an Instagram bug to Facebook that allowed him to delete other Instagram users' comments just by entering malicious code into the app's comment field.

"I would have been able to eliminate anyone's comment from Instagram, even Justin Bieber," Jani told a local newspaper.

Jani responsibly disclosed the vulnerability details to Facebook, which owns Instagram, in February and was rewarded with €9,000 (over US$10,000) under Facebook’s bug bounty program. He said he will use the money to buy a football and a new bicycle.

Jani, whose last name is not being shared at the request of his parents, has been interested in coding and video games since the age of 8.

He has been learning about hacking and programming from instructional videos on YouTube, he told Finnish media, adding that his dream job is to become an information security expert. "It would be my dream job. Security is really important," he said.

The Finnish kid had previously discovered a number of vulnerabilities in different websites, but this Instagram bug made him the youngest publicly acknowledged bug bounty hunter to report a valid bug and earn a reward.

Facebook, Instagram, Twitter, VK, Google's Picasa and YouTube were handing over user-data access to a Chicago-based startup, the developer of a social media monitoring tool, which then sold this data to law enforcement agencies for surveillance purposes, the ACLU disclosed Tuesday.

Government records obtained by the American Civil Liberties Union (ACLU) revealed that the big technology corporations gave "special access" to Geofeedia.

Geofeedia is a controversial social media monitoring tool that pulls social media feeds via APIs and other means of access and makes them searchable for its clients, who can search by location or keyword to quickly find recently posted, publicly available content.

The company has marketed its services to 500 law enforcement and public safety agencies as a tool to track the protests in Ferguson, Missouri, that followed the 2014 police shooting death of Mike Brown.

With the help of a public records request, the civil rights group found that Geofeedia had entered into agreements with Twitter, Facebook and Instagram for their users' data, gaining developer-level access to all three social networks that allowed it to review streams of user content in ways that regular users cannot.

Facebook allowed the company to use its "Topic Feed API," which let Geofeedia obtain a "ranked feed of public posts" centered on specific hashtags, places or events.

Instagram gave Geofeedia access to its API (Application Programming Interface), which provides a feed of data from users' public Instagram posts, including their location.

Twitter provided Geofeedia with "searchable access" to its database of public tweets. However, Twitter added contract terms in February to further safeguard against surveillance, and when it found Geofeedia still touting its product as a tool to monitor protests, Twitter sent Geofeedia a cease-and-desist letter.

Facebook, Instagram and Twitter have all moved to restrict Geofeedia's access after learning about the tool's activities when presented with the ACLU's findings.

The ACLU is concerned that Geofeedia can "disproportionately impact communities of color" by monitoring activists and their neighborhoods.

Nicole Ozer, technology and civil liberties policy director for the ACLU of California, said: "These special data deals were allowing the police to sneak in through a side door and use these powerful platforms to track protesters."

However, in response to the ACLU report, Geofeedia posted an article on Tuesday defending its commitment to freedom of speech and civil liberties, releasing the following statement:

"Geofeedia has in place clear policies and guidelines to prevent the inappropriate use of our software; these include protections related to free speech and ensuring that end-users do not seek to inappropriately identify individuals based on race, ethnicity, religious, sexual orientation or political beliefs, among other factors."

Facebook said in a statement that Geofeedia only had access to publicly available data, while Twitter said it was suspending Geofeedia's access.

The ACLU is encouraging social media companies to adopt clear, public, and transparent policies prohibiting developers from exploiting user data for surveillance purposes.

Clever hackers could have exploited a loophole that allowed them to steal a significant amount of cash from Google, Microsoft and Instagram using a premium-rate phone number.

Security researcher Arne Swinnen from Belgium has discovered an ingenious way to steal money from big tech companies like Google, Microsoft and Instagram through their two-factor authentication (2FA) voice-based token delivery systems.

Swinnen argues that an attacker could create fake Google, Microsoft or Instagram accounts as well as a premium-rate phone service, and then link them together.

The attacker could then request voice-based 2FA tokens for all the fake accounts using an automated script, causing the services to place legitimate phone calls to his premium number and earning him a tidy profit.

Swinnen created accounts on Google, Microsoft Office 365 and Instagram and tied them to a premium-rate phone number instead of a regular one.

As a result, whenever one of these three services called the account's phone number to deliver the access code, the premium number would register an incoming call and bill the company.

"They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate non-premium numbers," Swinnen says in his blog.

Although Swinnen reported the loophole to all three companies, he calculated that he could have stolen €432,000 per year from Google, €669,000 per year from Microsoft and €2,066,000 per year from Instagram.
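The missing check Swinnen points at, as an added example that is not code from his write-up or from any of the affected companies: a gate that runs before a voice or SMS token is sent. It rejects malformed numbers, fails closed on country codes the service does not serve, refuses premium-rate ranges, and caps deliveries per destination number so a script cannot farm one premium number from many fake accounts. The country-code and premium-prefix tables are a constructed subset for illustration; a real deployment would take them from a carrier or number-intelligence feed rather than a hand-written list.

```python
"""Added example, not code from Swinnen's write-up or from Google, Microsoft or
Instagram. Gates voice/SMS token delivery on the destination number before a
call is placed. Tables below are a constructed, illustrative subset."""

import re
from collections import defaultdict

# Constructed subset of country calling codes the service supports.
KNOWN_COUNTRY_CODES = ("1", "32", "44", "65", "358")

# Constructed, illustrative: national-number prefixes billed at premium rates.
PREMIUM_PREFIXES = {
    "1": ("900",),   # North American 1-900 style numbers
    "32": ("90",),   # Belgian 090x ranges
    "44": ("9",),    # UK 09xx ranges
}


def normalize_e164(raw):
    """Return the digits of an E.164 number (no '+'), or None if malformed."""
    cleaned = re.sub(r"[\s().-]", "", raw)
    if cleaned.startswith("00"):           # international-prefix form, e.g. 0032...
        cleaned = "+" + cleaned[2:]
    if not re.fullmatch(r"\+[1-9]\d{6,14}", cleaned):
        return None
    return cleaned[1:]


def split_country_code(digits):
    """Longest-match the country code; (None, digits) if it is not one we serve."""
    for length in (3, 2, 1):
        if digits[:length] in KNOWN_COUNTRY_CODES:
            return digits[:length], digits[length:]
    return None, digits


def is_premium_rate(country_code, national_number):
    return national_number.startswith(PREMIUM_PREFIXES.get(country_code, ()))


class TokenDeliveryGate:
    """Decides whether a voice/SMS token may be sent to a number right now."""

    def __init__(self, max_per_number_per_day=5):
        self.max_per_number = max_per_number_per_day
        self._sent_today = defaultdict(int)   # normalised number -> deliveries

    def check(self, raw_number):
        """Return (allowed, reason); records the delivery when allowed."""
        digits = normalize_e164(raw_number)
        if digits is None:
            return False, "malformed number"
        cc, national = split_country_code(digits)
        if cc is None:
            return False, "unsupported country code"   # fail closed, never default-allow
        if is_premium_rate(cc, national):
            return False, "premium-rate destination"
        if self._sent_today[digits] >= self.max_per_number:
            return False, "per-number quota exhausted"   # same number behind many accounts
        self._sent_today[digits] += 1
        return True, "ok"


if __name__ == "__main__":
    gate = TokenDeliveryGate()
    for number in ("+44 7700 900123", "+44 9090 123456", "+1 900 555 0199",
                   "0032 470 12 34 56", "+999 1234 5678"):
        print(number, "->", gate.check(number))
```

The per-number quota is keyed on the normalised number, not on the account, because the attack Swinnen describes spreads requests over many throwaway accounts that all point at one premium destination; a per-account limit alone would not have slowed it down.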

You can learn more technical details about the hack in Swinnen's blog post.

Although no customer data was put at risk by his hack, Facebook (which owns Instagram) and Microsoft rewarded Swinnen with $2,000 and $500 respectively via their bug bounty programs, while Google listed his name in the company's Hall of Fame.

The hugely popular pop star Taylor Swift became the latest celebrity to have her social media accounts hacked on Tuesday.

The 25-year-old "Shake It Off" singer, who has the fourth-most-followed Twitter account with 51.4 million followers, appeared to be asking her millions of followers to follow @veriuser and @lizzard.

Swift confirmed that her Twitter and Instagram accounts were hacked on Tuesday afternoon, and also that the rogue posts were quickly removed from the social media websites.

"My Twitter got hacked but don't worry, Twitter is deleting the hacker tweets and locking my account until they can figure out how this happened and get me new passwords," said a statement posted on Swift's personal Tumblr page.

The accounts were hijacked for just 15 minutes, but when they belong to Taylor Swift, that is a big deal. During that time, a tweet went out from @TaylorSwift13 to her millions of fans saying, "go follow my boy, @lizzard :)"

Yes, this is the same Lizard Squad that recently took down Sony's PlayStation network, among other things; the @lizzard profile claimed to be the "Leader of Lizard Squad," the hacking group ostensibly behind this attack.

The hackers not only took over her social media accounts but also threatened to release nude pictures of Taylor Swift, of which the pop star says "none existed."

"Any hackers saying they have 'nudes'?" Swift tweeted after retaking control of her Twitter account. "Psssh you'd love that wouldn't you! Have fun photo-shopping cause you got NOTHING."

An Instagram post from Swift's account, which has over 20 million followers, urged her fans to follow another user supposedly involved in the Twitter hack.

Both the Instagram photo and the rogue tweets have since vanished, and the @lizzard and @veriuser accounts have been suspended by Twitter.

Swift even mimicked the lyrics to her hit "Shake It Off" by tweeting, "Cause the hackers gonna hack, hack, hack, hack, hack ..."

Hacking the fourth-largest profile on Twitter makes this one of the higher-profile breaches to have occurred on the network.

Google is reportedly going to launch a new online photo-sharing and storage service at its developer conference later this month, which, Bloomberg says, will not be part of its Google+ social network.

At the moment, Google offers a photo-sharing service known as "Google+ Photos," which comes pre-installed on every Android device. Google+ Photos automatically backs up photos on the device to Google cloud storage.

However, the new photo service will not be part of the Google+ network. This appears to be part of the company’s attempt to bolster its product lineup and compete with increasingly popular rivals like Facebook and Twitter to grow its user base.

Facebook took a similar route when it acquired the popular mobile photo-sharing service Instagram in 2012, a service that now counts more than 300 million users.

There aren’t many details yet about how the new Google photo service will work: whether the online photo storage part of the service will be free, or whether the search giant will charge to store large numbers of photos on the new tool.

However, the source says the new photo-sharing tool, earlier rumored as a Google Photos spinoff, will allow users to share their images to other social networks such as Facebook and Twitter.

We’ll have more details on Google’s new photo service soon, as the search giant is most likely to unveil it at its annual Google I/O developer conference in San Francisco at the end of the month.

Popular instant messaging app WhatsApp has been struggling to survive in China ever since July, when the Chinese government blocked its users from sending photos and videos over the app.

Now, it appears that China has largely blocked Facebook-owned WhatsApp in its latest step to tighten censorship as the country prepares for a major Communist Party gathering next month.

Yes, WhatsApp no longer works in the country at all.

China has a long history of blocking and limiting access to web services, especially social networks and Western-owned sites, through its Great Firewall. The firewall currently blocks some 171 of the world's leading websites in mainland China, including Wikipedia, Twitter, Facebook, Instagram and many Google services.

And now, it is WhatsApp.

Although it's unclear how long the messaging app will remain inaccessible in the country, according to Symbolic Software, a Paris-based research firm that monitors WhatsApp's situation in China, the country has now restricted its users from sending even text-based WhatsApp messages within its borders.

WhatsApp was seeing severe disruptions as early as last Wednesday, when some users in China reported problems, but at this point the service has reportedly been completely blocked and is only accessible via VPNs (virtual private networks), which can circumvent China's internet firewall.

In case you are unaware, China has begun a 14-month-long crackdown on VPNs and proxy services in the country and has made it mandatory for all VPN providers to obtain a government license.

This move of censoring the end-to-end encrypted messaging app comes ahead of next month's 19th National Congress of the ruling Communist Party.

At this sensitive gathering, which takes place once every five years, the Chinese government will select new leaders and determine policy priorities.

By preventing its citizens from using WhatsApp, Chinese authorities hope to push them toward domestic alternatives like WeChat, which gives the Chinese government access to its citizens' personal data.

Neither WhatsApp nor its parent company Facebook has commented on the block.

The move is a severe blow to the social media giant, whose main website and app have already been banned in China since at least 2009. Facebook-owned Instagram is also blocked in the country.

Now, with WhatsApp blocked, Facebook's only remaining foothold in China is the photo-sharing app Colorful Balloons, which the social network quietly released in the country last month.

The Chinese market is no doubt a pot of gold for big technology companies, with over 700 million internet users, but the Chinese government heavily controls the Internet within its borders through its Golden Shield project, the Great Firewall of China.

The Great Firewall has blocked some 171 of the world's leading websites in the country, including Google, Facebook, Instagram, Twitter, Tumblr, Dropbox and The Pirate Bay.

But tech giants like Facebook and Google keep looking for alternative ways into the market.

Now it seems Facebook is trying to quietly enter the world's most populous market by releasing an all-new social networking app in China that does not carry its brand.

Dubbed Colorful Balloons, the photo-sharing app appears to mimic the look and feel of Facebook's Moments, an app that allows its users to share photos with their friends and family members.

According to The New York Times, Facebook approved the release of Colorful Balloons back in May and released it through a Chinese company called Youge Internet Technology, with no visible affiliation to the social networking company.

China banned Facebook in July 2009 and its photo-sharing app Instagram in 2014, and in July it partially blocked the largest instant messaging platform, WhatsApp. Since then, Facebook CEO Mark Zuckerberg has been trying to break into the world's biggest online market.

Zuckerberg has made a number of visits to China in recent years in an effort to re-enter the market, meeting with Chinese government officials and reportedly working on a censorship tool that would let the country suppress posts from appearing in a particular geographic area.

Colorful Balloons now gives the social networking company a way to learn how Chinese users share information digitally with their families and friends and how they interact with their favourite social media platforms.

Like Moments, Colorful Balloons is designed to collect photographs from your smartphone's photo albums and share them, but in China it does so via a QR code used by WeChat.

Since the app is not yet widely distributed in the country, it is not clear whether the Chinese government is aware of Facebook's effort. The Cyberspace Administration of China did not respond to the NYT's request for comment.

In response to this news, Facebook said it's "spending time understanding and learning more about the country in different ways. Our focus right now is on helping Chinese businesses and developers expand to new markets outside China by using our ad platform."

The Chinese government is likely already reviewing the app, which could end up disappearing if the government finds anything suspicious.